Restricting port selection

The usage of SYSPLEXPORTS implies that TCP/IP will select an ephemeral port for the secondary connection. An ephemeral port is any port that is free and not reserved in any way. The usage of an ephemeral port clashes with the firewall best practice of limiting the ports that are opened for communication, because it is unknown in advance which port will be used.

You can bypass this problem by forcing z/OS® Explorer to use known ports for the secondary connection by defining a unique _RSE_PORTRANGE per system, and ensuring that the port ranges used are reserved for z/OS Explorer usage on all systems. You should note that this bypass requires TCP/IP APAR PM63379.

To ensure that TCP/IP will route the secondary connection to the correct system, z/OS Explorer must use a unique port range on each system. This implies that you cannot use a shared, identical setup for all systems, because _RSE_PORTRANGE in rse.env must be unique per system. See Identical software level, different configuration files in Running multiple instances for information about how to set up multiple servers with different configuration files while using the same code. You should use a master copy of rse.env and a script that adjusts the port range and copies it to a system-specific location, so that everything except the port range stays identical across the different systems.

  1. Set up z/OS Explorer on SYS1 as if it was a single system setup, but ensure that /usr/lpp/IBM/zexpl and /etc/zexpl are located in a shared file system. All MVS based parts should also be shared with SYS2.
  2. Use /etc/zexpl/rse.env as the master copy and add a reference to /etc/zexpl to the end of the file so that the system-specific copies can pick up the remaining configuration files.
    $ oedit /etc/zexpl/rse.env
       -> add the following at the END: 
         # -- NEEDED TO FIND THE REMAINING CONFIGURATION FILES
         CFG_BASE=/etc/zexpl
         CLASSPATH=.:$CFG_BASE:$CLASSPATH
         # --
  3. Create /etc/zexpl/update.sh, a shell script that will copy the master rse.env and adjust _RSE_PORTRANGE.
    $ oedit /etc/zexpl/update.sh
    $ chmod 755 /etc/zexpl/update.sh
    Figure 1. update.sh - support DDVIPA setup with a firewall
    #! /bin/sh
    # Licensed materials - Property of IBM
    # 5655-EXP Copyright IBM Corp. 2012
    # clone rse.env and set PORTRANGE for use with z/OS Explorer & DDVIPA
    
    file=rse.env                 #; echo file $file
    sys=${1:-$(sysvar SYSNAME)}  #; echo sys $sys   (default: current system)
    dir=$(dirname $0)            #; echo dir $dir
    # if sysname has a special char, precede it with \ (eg. SYS\$1)
    case "$sys" in               # #### CUSTOMIZE THIS SECTION ####
      "SYS1") range=8108-8118;;
      "SYS2") range=8119-8129;;
    esac                         #; echo range $range
    echo "setting port range $range for $sys using $dir/$file"
    
    if test -z "$range" ; then
      echo ERROR: no port range defined for $sys ; exit 12 ; fi
    if test ! -e $dir/$file ; then
      echo ERROR: file $dir/$file does not exist ; exit 12 ; fi
    if test ! -d $dir/$sys ; then
      echo ERROR: directory $dir/$sys does not exist ; exit 12 ; fi
    
    # keep the previous system-specific copy so it can be restored if sed fails
    mv $dir/$sys/$file $dir/$sys/prev.$file 2>/dev/null
    sed="/_RSE_PORTRANGE/s/.*/_RSE_PORTRANGE=$range/"
    sed "$sed" $dir/$file > $dir/$sys/$file
    
    if test ! -s $dir/$sys/$file ; then
      echo ERROR creating $dir/$sys/$file, restoring backup
      mv $dir/$sys/prev.$file $dir/$sys/$file ; exit 8 ; fi
  4. Create directories /etc/zexpl/SYS1 and /etc/zexpl/SYS2 and run /etc/zexpl/update.sh to populate the directories.
    $ mkdir /etc/zexpl/SYS1 /etc/zexpl/SYS2
    $ /etc/zexpl/update.sh SYS1
    setting port range 8108-8118 for SYS1 using /etc/zexpl/rse.env
    $ /etc/zexpl/update.sh SYS2
    setting port range 8119-8129 for SYS2 using /etc/zexpl/rse.env
  5. Ensure that the RSED started task points to /etc/zexpl/&SYSNAME.
    //     CNFG='/etc/zexpl/&SYSNAME.'
Next, you must ensure that the defined port ranges are reserved for z/OS Explorer on all systems in the sysplex to ensure that the port number remains unique within the sysplex. Use the PORT or PORTRANGE statement in PROFILE.TCPIP to reserve all the ranges on every system. The job name of the RSE thread pool is RSEDx, where RSED is the name of the RSE started task, and x is a random single digit number, so wildcards are required in the definition.
PORTRange 8108 22 RSED*          ; 8108-8129 - z/OS EXPLORER
                                 ; - secondary connection
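As an added example that is not part of the IBM documentation or of update.sh, the following POSIX shell check takes the same system/range table that update.sh customizes (constructed sample values), verifies that no two systems share a port, and derives the single PORTRange statement (first port plus port count) that reserves the whole span on every system:

```shell
#!/bin/sh
# Added example, not IBM's code: check that the per-system _RSE_PORTRANGE
# values do not overlap and derive the PROFILE.TCPIP PORTRange statement
# that reserves all of them for the RSED* thread pools.

# Constructed sample table: one "SYSNAME start-end" pair per line.
RANGES="SYS1 8108-8118
SYS2 8119-8129"

# check_ranges "<table>": prints the PORTRange statement and returns 0,
# or prints an ERROR and returns 12 if a range is inverted or overlaps.
check_ranges() {
  sorted=$(printf '%s\n' "$1" | sort -k2,2n)   # sort by start port
  low= high= prev_sys=
  while read -r sys range; do
    [ -n "$sys" ] || continue
    start=${range%-*}; end=${range#*-}
    if [ "$start" -gt "$end" ]; then
      echo "ERROR: $sys range $range is inverted"; return 12; fi
    # sorted by start, so an overlap means this start is <= previous end
    if [ -n "$high" ] && [ "$start" -le "$high" ]; then
      echo "ERROR: $sys range $range overlaps $prev_sys"; return 12; fi
    [ -n "$low" ] || low=$start
    high=$end; prev_sys=$sys
  done <<EOF
$sorted
EOF
  [ -n "$low" ] || { echo "ERROR: no port ranges defined"; return 12; }
  # PORTRange takes the first port and the number of ports: 8108..8129 = 22
  echo "PORTRange $low $((high - low + 1)) RSED*"
}

check_ranges "$RANGES"
```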

As documented in Connection flow, the port range in _RSE_PORTRANGE can be small. RSE server does not need the port exclusively for the duration of the client connection. It is only in the time span between the (server) bind and the (client) connect that no other RSE server can bind to the port. This means that most connections will be using the first port in the range, with the rest of the range being a buffer in case of multiple simultaneous logons.